10834069

Identification Federation Based Single Sign-On

Published: November 10, 2020
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A computer readable medium having instructions embodied therewith, the instructions executable by a processor or programmable circuitry of a federation server to cause the processor or programmable circuitry to perform operations comprising: configuring, by the federation server, a plurality of identification (ID) federations between the federation server and a plurality of applications, each of the plurality of ID federations being between the federation server and a respective one of the plurality of applications; receiving, by the federation server, a first authentication request via the user's client device from a first application of the plurality of applications for authenticating a user on a second application of the plurality of applications selected by the user, the user having been authenticated on the first application using an ID federation between the first application and the federation server, the first authentication request including an identifier of the second application; and sending, by the federation server, a second authentication request via the user's client device to the second application, the second authentication request including authentication information associated with the second application for authenticating the user using an ID federation between the federation server and the second application.

Plain English Translation

This claim covers a federation server that sits between applications and lets a user who has already logged in to one application reach another without logging in again. The server first configures a separate identity (ID) federation with each application it serves, so every federation is a pairwise trust relationship between the server and one application. A user authenticates on a first application, which has such a federation with the server, and then selects a second application. The first application sends the server an authentication request, relayed through the user's client device (typically a browser redirect), asking the server to authenticate the user on the second application; the request names the second application by an identifier. The server then sends its own authentication request, again through the client device, to the second application, carrying the authentication information the second application expects under its federation with the server. The second application can therefore log the user in without the user re-entering credentials. The point of the arrangement is that the first application never needs a direct trust relationship with the second: each application trusts only the federation server, which converts an assertion received under one federation into an assertion issued under another.

Claim 2

Original Legal Text

2. The computer readable medium of claim 1, wherein: configuring includes configuring a first unidirectional ID federation directed from the first application to the federation server and a second unidirectional ID federation directed from the federation server to the second application; receiving includes receiving the first authentication request for authenticating the user using the first unidirectional ID federation; and sending includes sending the second authentication request for requesting the second application to authenticate the user using the second unidirectional ID federation.

Plain English Translation

This claim narrows the federations of claim 1 to one-way trust. The federation between the first application and the server is unidirectional from the first application to the server: the first application vouches for the user and the server accepts that vouching, not the reverse. The federation between the server and the second application runs the other way, from the server to the second application: the server vouches for the user and the second application accepts it. The first authentication request, which arrives after the user has already logged in to the first application, is handled under the first federation, and the second request asks the second application to authenticate the user under the second federation. Declaring each federation as one-way means each link carries identity in a single direction: an application that may assert identities to the server is not thereby trusted to accept assertions from it, and an application that accepts the server's assertions gains no ability to assert identities back.

Claim 3

Original Legal Text

3. The computer readable medium of claim 1, further comprising: registering an ID mapping of the user, the ID mapping indicating a correspondence between a first user ID on the first application and a second user ID on the second application; and converting the first user ID indicated in the first authentication request to the second user ID based on the ID mapping.

Plain English Translation

This claim adds ID mapping to claim 1. The user may have different user IDs on the two applications, so the server registers a mapping that pairs the user's ID on the first application with the user's ID on the second. When the first authentication request arrives carrying the first user ID, the server converts it to the second user ID using the mapping and uses that ID when it authenticates the user to the second application. The mapping is what lets two applications with separate account namespaces recognize the same person. It is also a sensitive table: an incorrect or tampered entry logs one user in to another user's account on the second application, so it deserves the same protection as credential storage.

Claim 4

Original Legal Text

4. The computer readable medium of claim 3, further comprising predicting the second user ID from the first user ID based on an ID assignment rule of the second application.

Plain English Translation

This claim builds on the ID mapping of claim 3. Instead of requiring every mapping to be entered in advance, the server can predict the user's ID on the second application from the user's ID on the first by applying the second application's ID assignment rule, that is, the rule the second application follows when it creates user IDs (for example, deriving an ID deterministically from an email address or employee number). The claim involves no behavior analysis or cross-application tracking; the prediction is a transformation of the first user ID. A practitioner should treat a predicted ID with care: the prediction is only as safe as the rule is unambiguous, and a wrong prediction would sign the user in to someone else's account on the second application.
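The two hops of claims 1 to 4, worked through as an added example. This is editorial illustration code, not the patent's or any assignee's implementation. It uses HMAC-signed JSON assertions in place of a real federation protocol such as SAML or OpenID Connect; the application names, keys, assertion fields, the mapping entries and the ID assignment rule are all assumptions. Each direction of each federation has its own key, so an assertion the server issued to an application cannot be replayed back to the server as if that application had issued it, the target of the second request must already have a configured outbound federation, and the user ID is converted by a registered mapping or, failing that, by the target's ID assignment rule.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def sign_assertion(claims: dict, key: bytes) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag: '<b64 json>.<b64 tag>'."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode()


def issue_assertion(issuer, audience, sub, key, ttl=60) -> str:
    """What an IdP hands an SP: who vouches, for whom, to whom, and until when."""
    return sign_assertion({"iss": issuer, "aud": audience, "sub": sub,
                           "exp": time.time() + ttl, "jti": secrets.token_hex(8)}, key)


def verify_assertion(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Check tag, issuer, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


class FederationServer:
    def __init__(self, name: str = "fed.example"):
        self.name = name
        self.inbound = {}   # app -> key: the app is IdP, this server is SP (first link of claim 2)
        self.outbound = {}  # app -> key: this server is IdP, the app is SP (second link of claim 2)
        self.id_map = {}    # (src_app, src_uid, dst_app) -> dst_uid (claim 3)
        self.id_rules = {}  # dst_app -> callable(src_uid) -> dst_uid (claim 4)

    def configure_inbound(self, app: str, key: bytes) -> None:
        self.inbound[app] = key

    def configure_outbound(self, app: str, key: bytes) -> None:
        self.outbound[app] = key

    def register_id_mapping(self, src_app, src_uid, dst_app, dst_uid) -> None:
        self.id_map[(src_app, src_uid, dst_app)] = dst_uid

    def register_id_rule(self, dst_app, rule) -> None:
        self.id_rules[dst_app] = rule

    def convert_user_id(self, src_app: str, src_uid: str, dst_app: str) -> str:
        """A registered mapping wins; otherwise predict with the target's ID assignment rule."""
        key = (src_app, src_uid, dst_app)
        if key in self.id_map:
            return self.id_map[key]
        if dst_app in self.id_rules:
            return self.id_rules[dst_app](src_uid)
        raise PermissionError(f"no user ID known for {src_uid} on {dst_app}")

    def handle_auth_request(self, first_app: str, assertion: str, target_app: str) -> str:
        """Receive the first request (relayed by the client device) and issue the second."""
        if first_app not in self.inbound:
            raise PermissionError(f"no ID federation from {first_app}")
        # Verified only under the inbound key: a token signed with an outbound key,
        # even for the same application, fails here. That is what makes a link one-way.
        first = verify_assertion(assertion, self.inbound[first_app],
                                 issuer=first_app, audience=self.name)
        if target_app not in self.outbound:
            raise PermissionError(f"no ID federation to {target_app}")
        second_uid = self.convert_user_id(first_app, first["sub"], target_app)
        return issue_assertion(self.name, target_app, second_uid, self.outbound[target_app])


def run_sso_flow(user: str = "alice", target: str = "app2.example") -> dict:
    """Constructed scenario: login on app1, then single sign-on to the target via the server."""
    fed = FederationServer()
    k_app1_to_fed, k_fed_to_app2 = secrets.token_bytes(32), secrets.token_bytes(32)
    fed.configure_inbound("app1.example", k_app1_to_fed)
    fed.configure_outbound("app2.example", k_fed_to_app2)
    fed.register_id_mapping("app1.example", "alice", "app2.example", "a.liddell")
    # app1 has already authenticated the user; it now vouches for her to the server.
    first_req = issue_assertion("app1.example", fed.name, user, k_app1_to_fed)
    second_req = fed.handle_auth_request("app1.example", first_req, target)
    # app2 accepts only what the server signed under their shared outbound key.
    return verify_assertion(second_req, k_fed_to_app2, issuer=fed.name, audience=target)
```

run_sso_flow() returns the claims app2 accepted, with the subject already converted to the app2 user ID. In a real deployment the two assertions would be SAML responses or OIDC ID tokens carried by browser redirects, and the mapping table would be stored and audited with the same care as credentials.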

Claim 5

Original Legal Text

5. The computer readable medium of claim 1, further comprising registering a group of two or more applications of the plurality of applications that allow authentications using the plurality of ID federations, wherein sending includes sending the second authentication in response to a condition that the first application and the second application are in the group.

Plain English Translation

This claim adds an application group to claim 1. The server registers a group of two or more of its federated applications whose members are allowed to authenticate one another's users through the server's ID federations, and it sends the second authentication request only if both the first application and the second application belong to that group. Group membership is thus a gate on single sign-on: having a federation with the server is not by itself enough to reach every other federated application. The claim does not name any particular federation protocol or token format; what it adds over claim 1 is the group and the condition on sending.

Claim 6

Original Legal Text

6. The computer readable medium of claim 1, further comprising registering a relationship among the plurality of applications, the relationship defining one or more applications that are allowed to login from each application using the plurality of ID federations.

Plain English Translation

This claim adds a finer-grained control than the group of claim 5. The server registers a relationship among its applications that states, for each application, which other applications a user may log in to from it using the ID federations. The relationship is directional: it can allow a login from application A to application B without allowing the reverse. The server consults this relationship before forwarding an authentication request, so the set of permitted single sign-on paths is declared explicitly rather than implied by which applications happen to be federated, and an application cannot be used as a springboard into applications it was never meant to reach.

Claim 7

Original Legal Text

7. The computer readable medium of claim 1, wherein: the first authentication request designates the first application as an ID provider and the federation server as a service provider; and the second authentication request designates the federation server as an ID provider and the second application as a service provider.

Plain English Translation

This claim names the roles the parties play in each request. In the first authentication request, the first application acts as the identity provider (IdP) and the federation server acts as the service provider (SP): the application asserts who the user is and the server consumes that assertion. In the second authentication request, which the federation server itself sends, the roles shift: the federation server is the IdP and the second application is the SP. The federation server therefore acts as an SP on the first hop and as an IdP on the second, converting an assertion it received into one it issues. Fixing the roles per hop removes ambiguity about which party is vouching and which is trusting at each step, which is what a receiving party needs in order to check the right signing key and the right audience.

Claim 8

Original Legal Text

8. The computer readable medium of claim 1, wherein the first authentication request includes a Uniform Resource Identifier (URL) of the federation server including the second application as a target of the second authentication request.

Plain English Translation

This claim specifies how the first authentication request identifies the second application. The request includes a URL (the claim's wording is Uniform Resource Identifier) of the federation server in which the second application is named as the target of the second authentication request; in practice, the first application directs the user's client device to the server's endpoint with the target application encoded in that URL. The claim covers the federation server's handling of the request, not instructions running on the first application. Because the target value arrives via the user's client device, the server should accept as a target only the identifier of an application it has a configured federation with, and should never treat the value as an arbitrary redirect destination.
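The gating of claims 5 to 8, as an added example of the policy layer a federation server would consult before sending the second request. This is editorial illustration code, not the patent's or any assignee's implementation. The URL shape (the server's HTTPS host, a fixed SSO path and a target query parameter), the application names, and the group and relationship tables are assumptions; the point is that the target is untrusted input parsed against the server's own registration data, that a group check and a directional relationship check are separate gates, and that the IdP and SP roles of claim 7 are fixed per hop.

```python
from urllib.parse import parse_qs, urlsplit


class FederationPolicy:
    """Authorization checks the server runs before it sends the second request."""

    def __init__(self, server_host="fed.example", sso_path="/sso"):
        self.server_host = server_host
        self.sso_path = sso_path
        self.apps = set()        # applications with a configured ID federation
        self.groups = []         # claim 5: sets of applications allowed to SSO among themselves
        self.allowed_from = {}   # claim 6: first_app -> applications it may log a user in to

    def register_app(self, app):
        self.apps.add(app)

    def register_group(self, *apps):
        self.groups.append(frozenset(apps))

    def register_relationship(self, first_app, *targets):
        self.allowed_from.setdefault(first_app, set()).update(targets)

    def target_from_url(self, url: str) -> str:
        """Claim 8: the first request carries this server's URL naming the target.
        The value came through the user's client device, so it is untrusted input:
        only this server's SSO endpoint with exactly one registered target is accepted."""
        u = urlsplit(url)
        if u.scheme != "https" or u.hostname != self.server_host or u.path != self.sso_path:
            raise ValueError("not this federation server's SSO endpoint")
        targets = parse_qs(u.query).get("target", [])
        if len(targets) != 1 or targets[0] not in self.apps:
            raise ValueError("target is not a registered application")
        return targets[0]

    def may_forward(self, first_app, second_app):
        """Claims 5 and 6: both apps in a common group, and first_app -> second_app permitted."""
        if first_app not in self.apps or second_app not in self.apps:
            return False, "unregistered application"
        if not any(first_app in g and second_app in g for g in self.groups):
            return False, "applications are not in a common group"
        if second_app not in self.allowed_from.get(first_app, ()):
            return False, f"login from {first_app} to {second_app} is not permitted"
        return True, "ok"

    def roles_for(self, first_app, second_app):
        """Claim 7: the server is SP towards the first app and IdP towards the second."""
        return [{"idp": first_app, "sp": self.server_host},
                {"idp": self.server_host, "sp": second_app}]


def decide(policy: FederationPolicy, first_app: str, request_url: str) -> dict:
    """Full check for one first request; the server sends the second only if 'forward' is True."""
    target = policy.target_from_url(request_url)
    ok, reason = policy.may_forward(first_app, target)
    return {"target": target, "forward": ok, "reason": reason,
            "hops": policy.roles_for(first_app, target) if ok else []}


def demo_policy() -> FederationPolicy:
    """Constructed configuration: three grouped apps with one-way login paths, one app outside."""
    p = FederationPolicy()
    for app in ("hr.example", "payroll.example", "wiki.example", "admin.example"):
        p.register_app(app)
    p.register_group("hr.example", "payroll.example", "wiki.example")
    p.register_relationship("hr.example", "payroll.example", "wiki.example")
    p.register_relationship("wiki.example", "hr.example")  # wiki -> hr, but not wiki -> payroll
    return p
```

decide(demo_policy(), "hr.example", "https://fed.example/sso?target=payroll.example") returns forward=True with the two hops and their roles; the same call from wiki.example fails the relationship check even though both applications share a group, and any URL that is not this server's own SSO endpoint, or that names two targets or an unregistered one, is rejected before policy is consulted.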

Claim 9

Original Legal Text

9. A system comprising: a configuring section, of a federation server, to configure a plurality of identification (ID) federations between the federation server and a plurality of applications such that each of the plurality of ID federations is between the federation server and one of the plurality of applications; a receiving section, of the federation server, to receive a first authentication request via the user's client device from a first application of the plurality of applications for authenticating a user on a second application of the plurality of applications selected by the user, the user having been authenticated on the first application using an ID federation between the first application and the federation server, the first authentication request including an identifier of the second application; and a sending section, of the federation server, to send a second authentication request via the user's client device to the second application, the second authentication request including authentication information associated with the second application for authenticating the user using an ID federation between the federation server and the second application.

Plain English Translation

This claim restates claim 1 as a system. The federation server has a configuring section that sets up one ID federation per application, each a pairwise trust relationship between the server and a single application; a receiving section that takes the first authentication request, relayed through the user's client device from a first application on which the user is already authenticated, asking that the user be authenticated on a second application the user selected and carrying the second application's identifier; and a sending section that sends the second authentication request through the client device to the second application, with the authentication information that application expects under its federation with the server. The user reaches the second application without re-entering credentials, and each application trusts only the federation server rather than the other applications.

Claim 10

Original Legal Text

10. The system of claim 9, wherein: the configuring section is further configured to configure a first unidirectional ID federation directed from the first application to the federation server and a second unidirectional ID federation directed from the federation server to the second application; the receiving section is further configured to receive the first authentication request for authenticating the user using the first unidirectional ID federation; and the sending section is further configured to send the second authentication request for requesting the second application to authenticate the user using the second unidirectional ID federation.

Plain English Translation

This claim restates claim 2 for the system of claim 9. The configuring section sets up a first unidirectional ID federation from the first application to the federation server and a second unidirectional ID federation from the server to the second application; the receiving section handles the first authentication request under the first federation; and the sending section issues the second request, asking the second application to authenticate the user, under the second federation. As in claim 2, each link carries identity in one declared direction only, so the ability to assert identities to the server and the obligation to accept assertions from it are never conflated on one link.

Claim 11

Original Legal Text

11. The system of claim 9, further comprising one or more application servers operable to execute the plurality of applications.

Plain English Translation

This claim adds to the system of claim 9 one or more application servers that run the applications. The applications need not be hosted on the federation server itself; they execute on their own servers and interact with the federation server only through the configured ID federations. The claim says nothing about load balancing, scaling or configuration management; it simply places the applications on separate application servers.

Claim 12

Original Legal Text

12. The system of claim 9, further comprising: a registering section to register an ID mapping of the user, the ID mapping indicating a correspondence between a first user ID on the first application and a second user ID on the second application; and a converting section to convert the first user ID indicated in the first authentication request to the second user ID based on the ID mapping.

Plain English Translation

This claim restates claim 3 for the system of claim 9. A registering section stores an ID mapping that pairs the user's ID on the first application with the user's ID on the second, and a converting section replaces the first user ID found in the first authentication request with the second user ID according to that mapping before the second request is sent. This is what lets two applications with separate account namespaces recognize the same person. The same caution as for claim 3 applies: the mapping table decides which account on the second application the user lands in, so it must be protected against incorrect or tampered entries.

Claim 13

Original Legal Text

13. A method comprising: configuring, by the federation server, a plurality of identification (ID) federations between a federation server and a plurality of applications such that each of the plurality of ID federations is between the federation server and one of the plurality of applications; receiving, by the federation server, a first authentication request via the user's client device from a first application of the plurality of applications for authenticating a user on a second application of the plurality of applications selected by the user, the user having been authenticated on the first application using an ID federation between the first application and the federation server, the first authentication request including an identifier of the second application; and sending, by the federation server, a second authentication request via the user's client device to the second application, the second authentication request including authentication information associated with the second application for authenticating the user using an ID federation between the federation server and the second application.

Plain English Translation

This invention relates to identity federation systems, specifically methods for enabling seamless authentication across multiple applications without requiring users to re-authenticate. The problem addressed is the inefficiency and inconvenience of users needing to log in separately to each application they access, even when they are already authenticated in a federated environment. The method involves a federation server that manages multiple identity federations, each linking the server to a distinct application. When a user, already authenticated on a first application, requests access to a second application, the federation server receives an authentication request from the first application. This request includes an identifier for the second application. The federation server then sends a second authentication request to the second application, using the pre-established federation between the server and the second application. This request includes authentication information specific to the second application, allowing the user to access it without additional login steps. By leveraging existing federations, the system streamlines cross-application authentication, reducing user friction and improving security by minimizing redundant authentication processes. The method ensures that authentication is handled efficiently while maintaining secure identity management across multiple applications.

Claim 14

Original Legal Text

14. The method of claim 13, wherein: configuring includes configuring a first unidirectional ID federation directed from the first application to the federation server and a second unidirectional ID federation directed from the federation server to the second application; receiving includes receiving the first authentication request for authenticating the user using the first unidirectional ID federation; and sending includes sending the second authentication request for requesting the second application to authenticate the user using the second unidirectional ID federation.

Plain English Translation

This claim restates claim 2 for the method of claim 13. Configuring sets up a first unidirectional ID federation from the first application to the federation server and a second unidirectional ID federation from the server to the second application. The first authentication request, sent after the user has already logged in to the first application, is handled under the first federation, and the second request asks the second application to authenticate the user under the second federation. Each federation carries identity in one declared direction only, so being able to assert identities to the server does not make an application trusted to accept assertions from it, and the reverse.

Claim 15

Original Legal Text

15. The method of claim 13, further comprising: registering an ID mapping of the user, the ID mapping indicating a correspondence between a first user ID on the first application and a second user ID on the second application; and converting the first user ID indicated in the first authentication request to the second user ID based on the ID mapping.

Plain English Translation

This claim restates claim 3 for the method of claim 13. The method registers an ID mapping that pairs the user's ID on the first application with the user's ID on the second, and converts the first user ID found in the first authentication request to the second user ID using that mapping before the second request is sent. The addition over claim 13 is the mapping and the conversion step; it is what allows the second application to receive a user ID it actually knows when the two applications keep separate account namespaces.

Claim 16

Original Legal Text

16. The method of claim 15, further comprising predicting the second user ID from the first user ID based on an ID assignment rule of the second application.

Plain English Translation

This claim adds to claim 15 the prediction of the second user ID from the first user ID according to the second application's ID assignment rule, as in claim 4: when the second application assigns IDs by a known rule (for example a deterministic derivation from an email address or employee number), the server can compute the expected second ID instead of relying on a pre-registered mapping. The claim does not involve behavior analysis or cross-application tracking. The same caution as for claim 4 applies: a prediction that is not unambiguous risks signing the user in to the wrong account.

Claim 17

Original Legal Text

17. The method of claim 13, further comprising registering a group of two or more applications of the plurality of applications that allow authentications using the plurality of ID federations, wherein sending includes sending the second authentication in response to a condition that the first application and the second application are in the group.

Plain English Translation

This invention relates to authentication systems that manage multiple applications and identity federations. The problem addressed is the need to streamline authentication processes across different applications that rely on various identity federations, ensuring secure and efficient access control. The method involves a system that registers a group of two or more applications from a set of applications, where these applications support authentication through multiple identity federations. When a user attempts to access a first application, the system sends a first authentication request to an identity federation associated with that application. If the user is successfully authenticated, the system then sends a second authentication request to a second application, but only if the first and second applications are part of the registered group. This conditional sending ensures that authentication is propagated only between trusted or related applications, enhancing security and reducing redundant authentication steps. The system dynamically manages authentication flows based on predefined groups, allowing seamless access across applications while maintaining security. This approach minimizes user friction by avoiding repeated logins for grouped applications while ensuring that authentication is only shared between authorized applications. The method improves efficiency in multi-application environments where identity federations are used for access control.

Claim 18

Original Legal Text

18. The method of claim 13, further comprising registering a relationship among the plurality of applications, the relationship defining one or more applications that are allowed to login from each application using the plurality of ID federations.

Plain English Translation

This invention relates to identity federation systems used in multi-application environments. The problem addressed is managing secure access across multiple applications that rely on different identity providers (ID federations) while controlling which applications can initiate login sessions from others. The solution involves a method that registers relationships between applications, specifying which applications are permitted to log in from each other using the available identity federations. This ensures that only authorized applications can establish federated login sessions, enhancing security and access control in distributed systems. The method may also include steps for authenticating users, validating credentials, and enforcing access policies based on the registered relationships. By defining these relationships, the system prevents unauthorized cross-application logins, reducing the risk of security breaches while maintaining seamless user access across federated environments. The approach is particularly useful in enterprise settings where multiple applications must interoperate securely without compromising identity management.

Claim 19

Original Legal Text

19. The method of claim 13, wherein: the first authentication request designates the first application as an ID provider and the federation server as a service provider; and the second authentication request designates the federation server as an ID provider and the second application as a service provider.

Plain English Translation

This invention relates to a federated identity management system that enables secure authentication across multiple applications using a federation server. The problem addressed is the complexity of managing user authentication when multiple applications require independent login credentials, leading to inefficiencies and security risks. The system involves a federation server that acts as an intermediary between applications to streamline authentication. A first application initiates authentication by sending a request to the federation server, designating itself as an identity provider (IDP) and the federation server as a service provider (SP). The federation server then generates a second authentication request, designating itself as the IDP and a second application as the SP. This allows the second application to authenticate the user without requiring direct interaction with the first application. The federation server handles the exchange of authentication tokens between the applications, ensuring secure and seamless access. The system reduces the need for users to manage multiple credentials while maintaining security through federated identity protocols. This approach improves user experience and simplifies identity management across distributed systems.

Claim 20

Original Legal Text

20. The method of claim 13, wherein the first authentication request includes a Uniform Resource Identifier (URL) of the federation server including the second application as a target of the second authentication request.

Plain English Translation

This invention relates to authentication systems in federated environments, specifically improving the process of redirecting authentication requests between applications. The problem addressed is the inefficiency and complexity in handling authentication requests across multiple applications in a federated identity management system, where users must authenticate with a central identity provider before accessing different applications. The method involves a first application receiving an authentication request from a user. The first application then generates a first authentication request and sends it to a federation server, which acts as an intermediary for authentication services. The federation server processes this request and generates a second authentication request targeting a second application. The second application receives this request and authenticates the user, then sends a response back through the federation server to the first application, completing the authentication flow. A key aspect of this method is that the first authentication request includes a Uniform Resource Identifier (URL) of the federation server, specifying the second application as the target for the second authentication request. This ensures that the authentication process is correctly routed to the intended application, improving efficiency and reducing errors in federated authentication flows. The method streamlines the interaction between applications and the federation server, enhancing security and user experience in multi-application environments.
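A minimal model of the federation server's request handling as described in claims 15 through 20, written here as an added example (not the patent's or any vendor's code): the application names, the SSO group, the allowed-login relationship, the registered ID mapping and AppB's ID assignment rule are all constructed assumptions, and the target named in the federation server URL of claim 20 is modelled as the request's `target` field.

```python
from dataclasses import dataclass, field

# Added example, not the patent's own code: a minimal model of the federation
# server in claims 15-20. All application names and rules below are constructed.
@dataclass
class FederationServer:
    federations: set = field(default_factory=set)        # apps with an ID federation to this server
    group: set = field(default_factory=set)              # claim 17: apps allowed to share logins
    allowed_targets: dict = field(default_factory=dict)  # claim 18: source app -> apps it may log into
    id_mapping: dict = field(default_factory=dict)       # claim 15: (app1, uid1, app2) -> uid2
    id_rules: dict = field(default_factory=dict)         # claim 16: app -> function predicting its uid

    def map_user_id(self, first_app, first_uid, second_app):
        # Claim 15: a registered mapping wins; claim 16: otherwise predict from the target's rule.
        mapped = self.id_mapping.get((first_app, first_uid, second_app))
        if mapped is not None:
            return mapped
        rule = self.id_rules.get(second_app)
        return rule(first_uid) if rule is not None else None

    def handle_first_request(self, request):
        first_app, second_app, uid = request.get("idp"), request.get("target"), request.get("user_id")
        # Claim 19: the first request names the first app as IdP and this server as SP;
        # both apps must have a configured federation with this server.
        if request.get("sp") != "federation-server" or not {first_app, second_app} <= self.federations:
            return {"error": "unknown federation"}
        if not {first_app, second_app} <= self.group:              # claim 17
            return {"error": "not in group"}
        if second_app not in self.allowed_targets.get(first_app, ()):  # claim 18
            return {"error": "login direction not allowed"}
        second_uid = self.map_user_id(first_app, uid, second_app)
        if second_uid is None:
            return {"error": "no ID mapping"}
        # Claim 19: the second request names this server as IdP and the second app as SP.
        return {"idp": "federation-server", "sp": second_app, "user_id": second_uid}

def build_demo_server():
    # Constructed configuration for three hypothetical applications.
    srv = FederationServer()
    srv.federations = {"AppA", "AppB", "AppC"}
    srv.group = {"AppA", "AppB"}                       # AppC is federated but outside the SSO group
    srv.allowed_targets = {"AppA": {"AppB"}}           # AppA may log into AppB, not the reverse
    srv.id_mapping[("AppA", "alice", "AppB")] = "a.smith"
    srv.id_rules["AppB"] = lambda uid: uid + "@appb"   # AppB's assumed ID assignment rule
    return srv

if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.handle_first_request({"idp": "AppA", "sp": "federation-server", "target": "AppB", "user_id": "bob"}))
```

The group check (claim 17) and the directional relationship check (claim 18) are separate gates: AppB and AppA share a group but AppB is still refused as a login source for AppA.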

Patent Metadata

Filing Date

Unknown

Publication Date

November 10, 2020

Inventors

Miki Enoki
Yuji Watanabe

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “IDENTIFICATION FEDERATION BASED SINGLE SIGN-ON” (10834069). https://patentable.app/patents/10834069

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10834069. See llms.txt for full attribution policy.